Cyberattacks and Cargo Theft: RMM Risk in Logistics
The impact of cyberattacks on cargo theft: how phishing and RMM software hijack goods in logistics. Here's what to know about the new scenarios.

The FBI recently warned the transportation industry about a sharp rise in cyber-enabled cargo theft. Estimated losses from cargo thefts in the United States and Canada reached nearly $725 million in 2025. Cyberattacks are erasing the line between digital security and physical security, allowing organized crime to hijack entire shipments of goods in the real world.
The context of cargo theft and the FBI warning
The evolution of organized crime has found particularly vulnerable ground in the logistics sector, where the intersection of cyber threats and physical theft is becoming increasingly marked. As reported by recent assessments, "The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025." This warning underscores a paradigm shift: malicious actors are no longer limited to stealing data or encrypting it to demand ransom, but manipulate IT systems to physically steal goods.
The convergence between cybersecurity and physical security represents a complex challenge for brokers and carriers. Transportation companies see their shipments hijacked through digital compromises that exploit the industry's standard operating procedures. The criminals' ability to manipulate logistics transactions through remote access demonstrates a deep understanding of commercial operational dynamics, making a profound revision of perimeter and internal defenses necessary.
The anatomy of the attack: phishing and social engineering
The attack campaigns monitored by Proofpoint since late August 2025 have distributed thousands of malicious messages, following a precise methodology that combines social engineering with the misuse of remote management tools. The attackers employ three main social engineering tactics to deceive victims: load board compromise, email thread hijacking, and direct email campaigns.
The compromise of load boards, the digital platforms where brokers and carriers meet to organize freight transport, is crucial. By taking over these accounts, criminals can post fraudulent loads or intercept legitimate ones. Email thread hijacking, on the other hand, allows attackers to insert themselves into ongoing conversations between industry operators, modifying delivery instructions or shipping documents without the legitimate parties noticing. Direct email campaigns complete the picture, aiming to directly infect the terminals of brokers and carriers with specific payloads.
The role of RMM tools in evading security
The ultimate goal of these social engineering campaigns is to induce victims to install Remote Monitoring and Management (RMM) software. Among the abused RMM software are ScreenConnect, PDQ Connect, SimpleHelp, N-able, Fleetdeck, and LogMeIn Resolve. Abusing legitimate RMM tools is a stealthy technique, and these campaigns aim it specifically at the logistics sector. These programs, originally designed for technical support and IT fleet management, are exploited to gain persistent remote access to victims' systems.
Because attackers use signed, legitimate installers, this approach allows them to evade traditional detection systems. Legitimate tools are likely to raise less suspicion among operators and antivirus software, allowing criminals to operate undisturbed within compromised networks. Current campaigns have been linked to previous activities that distributed NetSupport and other data-stealing software, although the recent criminal activity has not been attributed to a known threat actor. The presence of signed RMM installers makes identifying and containing the attack particularly difficult for security teams.
The execution of physical goods theft
Once access to brokers' and carriers' systems is obtained via RMM software, the attackers exploit industry workflows to coordinate physical thefts. As highlighted by Proofpoint, "By infecting freight brokers and trucking carriers with Remote Monitoring and Management (RMM) software, these attackers are successfully stealing commercial shipments ranging from electronics to energy drinks." The range of stolen goods demonstrates that criminals do not have specific targets by cargo type, but rather aim for any valuable shipment that is easily resold.
Through remote access, malicious actors post fraudulent loads on compromised load boards and manipulate pickup instructions. By hijacking communication threads, they provide drivers with false instructions for picking up goods, physically diverting the truck to criminal-controlled locations. This method effectively erases the distinction between a cyberattack and a physical heist, as the digital intrusion translates directly into the tangible loss of the cargo.
Defense and mitigation strategies for logistics
To counter this growth in threats, transportation and logistics companies must adopt an integrated security approach. The priority is to limit the use of RMM software to approved and verified tools only. Organizations should also continuously monitor the network for suspicious connections to unauthorized RMM servers, as this often represents the first sign of an ongoing compromise.
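One way to combine the two checks above, as an added example that is not from the original article: the script reviews an outbound-connection log and flags RMM agents that are either not an approved product or an approved product talking to a server that is not on the organisation's list. The log format, host names, file paths, server names and the choice of approved product are all constructed assumptions.

```python
import csv
import io

# RMM products named in the article, as lowercase substrings to look for in a
# process image path (matching on paths is an assumption of this example).
KNOWN_RMM = {
    "screenconnect": "ScreenConnect", "pdq connect": "PDQ Connect",
    "simplehelp": "SimpleHelp", "n-able": "N-able",
    "fleetdeck": "Fleetdeck", "logmein resolve": "LogMeIn Resolve",
}

# Assumption: the organisation approved one product and one server for it.
APPROVED_SERVERS = {"ScreenConnect": {"support.carrier.example"}}

# Constructed outbound-connection log (EDR or proxy export), not real data.
SAMPLE_LOG = r"""time,host,image,dest
2025-09-15T08:02:11Z,DISPATCH-01,C:\Program Files (x86)\ScreenConnect Client (aa11)\client.exe,support.carrier.example
2025-09-15T09:40:03Z,DISPATCH-02,C:\Program Files (x86)\ScreenConnect Client (bb22)\client.exe,relay.unknown-host.example
2025-09-15T09:41:57Z,BROKER-07,C:\Users\msmith\AppData\Local\Fleetdeck Agent\agent.exe,agent.unknown-host.example
2025-09-15T09:45:10Z,BROKER-07,C:\Program Files\Mozilla Firefox\firefox.exe,loadboard.example
"""

def rmm_product(image_path):
    """Return the RMM product an image path belongs to, or None."""
    path = image_path.lower()
    for needle, product in KNOWN_RMM.items():
        if needle in path:
            return product
    return None

def review_connections(log_csv, approved=APPROVED_SERVERS):
    """Flag RMM traffic from unapproved products or to unapproved servers."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        product = rmm_product(row["image"])
        if product is None:
            continue  # not an RMM agent from the article's list
        if product not in approved:
            reason = "unapproved RMM product"
        elif row["dest"].lower() not in approved[product]:
            reason = "approved product, unapproved server"
        else:
            continue  # approved product talking to its approved server
        findings.append((row["host"], product, row["dest"], reason))
    return findings

if __name__ == "__main__":
    for finding in review_connections(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

The second rule matters because a signed installer for an approved product can still be configured to connect to a server the organisation does not control.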
Another necessary practice is to avoid downloading and installing executable files (.exe or .msi) received via email from unverified external senders. Since attacks exploit social engineering through direct messages and communication compromises, training staff to recognize phishing attempts and immediately report any suspicious activity becomes an essential step. Cargo theft is a growing criminal enterprise, and data shows that malicious actors are increasingly targeting transportation companies to steal real physical goods. Losses are expected to continue rising if adequate defense measures are not implemented.
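A mail-gateway style check for the attachment rule above, as an added example that is not from the original article: it parses a message with Python's standard `email` package and flags `.exe` or `.msi` attachments when the sender's domain is outside a trusted set. The domains, addresses and sample message are constructed, and trusting the `From` header alone is an assumption; a production gateway would rely on authenticated sender results.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

BLOCKED_EXT = (".exe", ".msi")          # file types the article warns about
TRUSTED_DOMAINS = {"carrier.example"}   # assumption: the organisation's own domain

def sender_domain(msg):
    """Domain part of the From header address, lowercased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def risky_attachments(raw_bytes, trusted=TRUSTED_DOMAINS):
    """Return names of .exe/.msi attachments if the sender is external."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    if sender_domain(msg) in trusted:
        return []
    hits = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        # endswith also catches double extensions such as "ratecon.pdf.exe"
        if name.endswith(BLOCKED_EXT):
            hits.append(name)
    return hits

def build_sample(sender):
    """Constructed message with one PDF and one installer attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "dispatch@carrier.example"
    msg["Subject"] = "RE: Load 4471 rate confirmation"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="ratecon.pdf")
    msg.add_attachment(b"sample bytes", maintype="application",
                       subtype="octet-stream", filename="RateCon_Viewer.MSI")
    return msg.as_bytes()

if __name__ == "__main__":
    print(risky_attachments(build_sample("Broker Ops <ops@freight-partner.example>")))
```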
Frequently asked questions
- How do cyber-enabled cargo thefts occur?
  Criminals use phishing and social engineering to compromise the systems of logistics brokers and carriers, installing legitimate RMM software to gain remote access. Once inside, they manipulate communications and freight exchange platforms to physically hijack shipments.
- Which RMM software is exploited in these cyberattacks?
  Attackers abuse legitimate remote monitoring and management programs like ScreenConnect, PDQ Connect, SimpleHelp, N-able, Fleetdeck, and LogMeIn Resolve. Their signed installers evade traditional security systems.
- What are the three social engineering tactics used for cargo theft?
  The three main tactics include the compromise of load boards (freight exchange platforms), the hijacking of email threads among operators, and the sending of direct email campaigns containing thousands of malicious messages.
The information has been verified on the cited sources and updated at the time of publication.
Sources
- https://www.agendadigitale.eu/sicurezza/logistica-sotto-attacco-quando-il-cybercrime-diventa-furto-di-merci/
- https://trasportale.it/ecco-come-il-cybercrime-punta-al-settore-della-logistica
- https://www.lineaedp.it/rubriche/sicurezza/la-logistica-fa-gola-al-cybercrime/
- https://techbusiness.it/cybersecurity-logistica-furto-merci-accesso-remoto-proofpoint/
- https://socprime.com/active-threats/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics/